WORM_SAROS.A

Discussion in 'malware problems & news' started by Randy_Bell, Aug 7, 2004.

Thread Status:
Not open for further replies.
Randy_Bell (Registered Member):
    WORM_SAROS.A is a non-destructive worm that propagates via email and IRC. When the infected computer system’s date is the 11th or 23rd of any month, the worm displays a message box, and modifies the default Internet Explorer home page to www.gedzac.tk. This worm is currently spreading in-the-wild, and it infects systems running Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this worm displays two message boxes, purporting to be Microsoft Windows Update messages. It then drops copies of itself in the Windows system folder using the following file names:
    • Love-ScreenSaver.scr
    • MSOutlookInternetUpdate.exe
    • NonYou.exe
    • ABOUT.HTA
    • NSTDNRDLL32.VBS
    The file, ABOUT.HTA is a non-malicious HTML file that displays the following:

    GEDZAC Labs
    2004
    Have a nice Program for You
    NonYou
    Coded by Sarosoft
    Dedicated to my Love Rosy

    The file NSTDNRDLL32.VBS is a malicious VBScript component of this worm that handles its propagation routine and also contains code that adds autostart registry entries. This worm also drops a copy of itself as the following file:

    %Program%\Mirc\tdll32.dll
    (%Program% refers to the Windows program files folder)

    This file is an IRC (Internet Relay Chat) script that sends a copy of the worm to all users who are in the same channel as the user. It also drops a copy of itself in the network shares of many popular peer-to-peer file-sharing applications, using any of several file names.

    To propagate via email, this worm’s VBScript component creates an email and sends it to all addresses listed in the infected user’s Windows address book. The details of the email are as follows:

    Subject: Microsoft Outlook News
    Message Body: Microsoft Outlook Update / Bug Fixed - Contact: support@microsoft.com
    Attachment: MSOutlookInternetUpdate.exe

    This worm sets Microsoft Outlook to delete the mail after sending. When the infected system’s date is the 11th or 23rd of any month, the worm displays the following message box:

    NonYou
    Rosy Ti Amo - Saro & Rosy Forever
    Gedzac Group 2004
    NonYou.a Gedzac Labs Productions
    Coded by Sarosoft - Dedicated to my Love Rosy
    Gedzac Group 2004 - http://www.gedzac.tk
    Gedzac
    The Virus Crew

    On the above-mentioned dates, it also modifies the default Internet Explorer home page to www.gedzac.tk. It then executes the file ABOUT.HTA. This worm also lowers the security setting of Microsoft Outlook and removes the .EXE file attachment blocking by adding registry entries. It also connects to http://windowsupdate.com.

    If you would like to scan your computer for WORM_SAROS.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_SAROS.A is detected and cleaned by Trend Micro pattern file 1.952.07 and above.
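A host-triage check built from the indicators in the post above, as an added example that is not part of the original post or of Trend Micro's tooling. The snapshot layout (pre-collected system-folder and Mirc folder listings, the IE Start Page value, sent-mail metadata) is this example's own assumption.

```python
# Added example: host triage for the WORM_SAROS.A indicators the post lists.
# The snapshot layout (pre-collected file listings, IE Start Page, sent-mail
# metadata) is this example's own assumption, not a Trend Micro format.
from datetime import date

# File names the advisory says the worm drops into the Windows system folder.
SYSTEM_DROPS = {"love-screensaver.scr", "msoutlookinternetupdate.exe",
                "nonyou.exe", "about.hta", "nstdnrdll32.vbs"}
MIRC_DROP = "tdll32.dll"           # IRC script dropped under %Program%\Mirc
HOMEPAGE_MARKER = "gedzac.tk"      # IE Start Page is changed to www.gedzac.tk
MAIL_SUBJECT = "microsoft outlook news"
MAIL_ATTACHMENT = "msoutlookinternetupdate.exe"

def is_trigger_date(d: date) -> bool:
    """The message box and home-page change fire on the 11th and 23rd."""
    return d.day in (11, 23)

def scan_snapshot(snapshot: dict) -> list[str]:
    """Return one finding per indicator present; Windows names are case-insensitive."""
    findings = []
    system_files = {f.lower() for f in snapshot.get("system_files", [])}
    for name in sorted(SYSTEM_DROPS & system_files):
        findings.append(f"dropped file in system folder: {name}")
    if MIRC_DROP in {f.lower() for f in snapshot.get("mirc_files", [])}:
        findings.append(f"IRC propagation script: %Program%\\Mirc\\{MIRC_DROP}")
    start_page = snapshot.get("ie_start_page") or ""
    if HOMEPAGE_MARKER in start_page.lower():
        findings.append(f"IE Start Page hijacked: {start_page}")
    for msg in snapshot.get("sent_mail", []):
        attachments = {a.lower() for a in msg.get("attachments", [])}
        if (msg.get("subject", "").lower() == MAIL_SUBJECT
                and MAIL_ATTACHMENT in attachments):
            findings.append(f"worm email sent to {msg.get('to', '?')}")
    return findings

# Constructed sample snapshot (not real telemetry) of an infected host.
SAMPLE_SNAPSHOT = {
    "system_files": ["kernel32.dll", "NonYou.exe", "NSTDNRDLL32.VBS", "About.hta"],
    "mirc_files": ["mirc.exe", "TDLL32.DLL"],
    "ie_start_page": "http://www.gedzac.tk",
    "sent_mail": [{"to": "alice@example.invalid", "subject": "Microsoft Outlook News",
                   "attachments": ["MSOutlookInternetUpdate.exe"]}],
}

if __name__ == "__main__":
    for line in scan_snapshot(SAMPLE_SNAPSHOT):
        print(line)
    print("payload date today:", is_trigger_date(date.today()))
```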